MaxTokenSize (incomplete context) indicates that the protocol could not perform all legs of authentication. In this case, (incomplete context) was returned because the server was specified as server 1, but the test was run under the user account. However, this is still a reasonable estimation of the maximum token size required for this user to authenticate to server 1.

• Asked for delegate, but didn’t get it indicates that delegation was not used. This happens if the target server is not trusted for delegation, or if the user account has the Account is sensitive and cannot be delegated option selected.

• MaxToken (complete context) indicates that all authentication legs have been completed, and that this is a reliable value for maximum token size for server 1.

Example 3: Using /calc_groups
To calculate group membership for user 1:

• Type the following at the command line:

tokensz /calc_groups user1

When you press ENTER, the tool returns a list of Kerberos token contents. In this example, the following output is displayed: